Android-Password-Store
                        [FEATURE] Integrate hwsecurity to leverage PIV (for Solo v2 keys)
Is your feature request related to a problem? Please describe.
Not really.
SoloKeys has a v2 coming with Rust-based firmware. It seems that, at launch, they expect to only provide a PIV-based application, and not an OpenPGP-based application.
I understand that on Windows and Linux, I have options, such as using gnupg-pkcs11-scd.
Describe the solution you'd like
Using this GPLv3 library to perform encrypt/decrypt operations via PIV/smartcard: https://github.com/cotechde/hwsecurity/tree/master/hwsecurity/piv/src/main
- encrypt/decrypt store entries
- used for the SSH auth to sync the store entries as well (this is less important to me; I suppose I could start syncing my password store with Syncthing).
Describe alternatives you've considered
The only alternative seems more expensive: write an OpenPGP app for the Trussed firmware.
Additional context
n/a
Thank you very much for Password Store. I understand if this is out-of-scope, but I thought I'd ask, I'd really like to switch to open-(firmware-)source keys.
I don't have the time yet to actually look through the code but the simple fact that none of the maintainers own a SoloKeys product (to my knowledge) makes it a non-starter for us to work on it.
If someone can volunteer time to contribute this I'd be happy to assist them. Alternatively, sponsoring one of the maintainers for their time and whatever the cost ends up being for procuring one of Solo's security keys can also be an option if anyone from @android-password-store/devs is up for it.
We'd be happy to send over a few keys for contributors, just drop an email to [email protected] if there is developer interest.
Thinking experimentally, there are a few projects named "passage", i.e. pass backed by age instead of pgp, including some with PIV backend. Also FYI, Nitrokey has plans to develop a PGP app, that would then run on both vendors' keys as they reuse our Trussed framework.
> We'd be happy to send over a few keys for contributors, just drop an email to [email protected] if there is developer interest.
Great, I'll have a chat with the maintainers and see who all are willing to take this feature up.
> Thinking experimentally, there are a few projects named "passage", i.e. pass backed by age instead of pgp, including some with PIV backend. Also FYI, Nitrokey has plans to develop a PGP app, that would then run on both vendors' keys as they reuse our Trussed framework.
I've already been burned by OpenKeychain's poorly designed app locking us into its ecosystem then going into maintenance mode, so I'm very unlikely to switch to a different external app for PGP anytime soon. We're in the process of introducing a new PGP backend powered by Gopenpgp which we intend to fully switch over to in APS v2.
Re: passage and PIV, we've refactored a fair chunk of the crypto code to allow multiple backends and there is maintainer interest in age, so we will likely be supporting it once Filippo's official version of passage is out.
I'm very much looking forward to replacing my usage of GPG with hardware tokens for SSH authentication and pass encryption with PIV/age. I don't think the age ecosystem is quite there yet though, but it also doesn't make sense to implement PIV support now if not backed by age. Based on my understanding of the ecosystem, the following parts are still missing:
- [ ] an age port of desktop pass
- [ ] stable age plugin support for PIV tokens
- [ ] an age plugin for yubikey-agent to match gpg-agent in using PIV for decryption and SSH auth simultaneously
Once these exist, I would happily work on the following ingredients on getting age support into APS:
- a Java/Kotlin library implementation of enough of age to support both PIV and standard age key file recipients
- an APS backend for PIV decryption that defers to the Cotech SDK
- (maybe) an additional backend that uses an age key stored in the Android Keystore
Status update on the required components
- an age port of desktop pass: Filippo has an alpha release available for his port of pass, passage.
- stable age plugin support for PIV tokens: this has yet to happen in the reference Go implementation, but the rage implementation written in Rust offers a first-party YubiKey plugin: age-plugin-yubikey.
- an age plugin for yubikey-agent to match gpg-agent in using PIV for decryption and SSH auth simultaneously: this does not exist yet. It's briefly discussed in the age-plugin-yubikey README, noting why this is currently unimplemented.
I'm working through the list on my side and making progress! :)
https://twitter.com/FiloSottile/status/1469041023196221444
Feel free to @ me if I can help with roadmap planning, design decisions, or fixing things on our side to make this possible!